Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3620311rdh; Thu, 28 Sep 2023 18:32:43 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF2tehFA+7fT5HdOePxY5if40KB+pLA0RM/bjhck/J5fHP7rle8r+dzdnYIBL013CY+Wxu8 X-Received: by 2002:a05:6358:71cd:b0:13f:e3eb:53a6 with SMTP id u13-20020a05635871cd00b0013fe3eb53a6mr2760704rwu.30.1695951163543; Thu, 28 Sep 2023 18:32:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695951163; cv=none; d=google.com; s=arc-20160816; b=t+eEhbZGuvizUInpSlktes7+1j70jHxtUmwLyEHdpAGrXYCEh5FoQZjsXxwTN5S00l Bdg1Y6abh5AQpchb518IYsOYeGuhibGypkzLeV/1PFpTH+Y+bdxPRYTaVS7Gza4siD6O FnXUOjrJXnZbNQKSN7TZVg3Jl7pM6fyOm5ghDyh/13TTxbKl3pH+hrSqPxjMCuBCfuvk TkGAPziEzv6VMtPpeoMdw+yVLSxKsNSVRQmpBAYjiLpQEnrcUGNyiIIGiekr0NUkV/dw qk8HB3hk4LrEzHgvlD75wdDstRks+Dxe9bqxCSNcU1kAxAZL+fBtzHKdLYysSAJNq0sA xXTg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=GzU/p1JZOS32BX69GrPsVBZ9IR4/PAQRYwGFGm6EsOg=; fh=FcOy9TBhrGHmKHVFET+ayHsTdt26ZMVBpwsulYv31+8=; b=OTu8lU4LDTFJ4KeENqQ1mSmJ419JS0EYC1Ty2mLP4oSV9kJpejnMqIm2X8KRd1kALs jyLs/PpJaD3LkbyfGB0H1+aEeotqg8eHGqgQjU9Z5etLV8PCFpZzo4v/QhmG855rh3st 7ieIqhzD8CkKUTmy+ZuBWwTrCc4lOSLtOQJTMDnRb22Lm9whS8imzQJPJycjANuwkEQA QR6hsoB1SA1sBYCj6R9wqZpQJqxwF2z+A4lSNdtcMKNtT0nlD4yRTLEePA5FCM1kLiGS H60YjnOR2bbGYPoKI62ZW0JCE0mQAzYrm1uTvaMUsZLTr5GayUr6Kxw4wUi9PJlbCdLz 1/sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=spWoM0mb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id q2-20020a632a02000000b005777b0c8f59si20861504pgq.478.2023.09.28.18.32.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 18:32:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=spWoM0mb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 183C983C2243; Thu, 28 Sep 2023 08:28:20 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231784AbjI1P2G (ORCPT + 99 others); Thu, 28 Sep 2023 11:28:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47164 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231384AbjI1P2F (ORCPT ); Thu, 28 Sep 2023 11:28:05 -0400 Received: from smtp-bc0b.mail.infomaniak.ch (smtp-bc0b.mail.infomaniak.ch [IPv6:2001:1600:3:17::bc0b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DBB3AC; Thu, 28 Sep 2023 08:28:02 -0700 (PDT) Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4RxHRg6mXXzMr3yF; Thu, 28 Sep 2023 15:27:59 +0000 (UTC) Received: from unknown by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4RxHRf70HvzMppDN; Thu, 28 Sep 2023 17:27:58 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1695914879; bh=5TbzNnbHjMBaw/hqLYXv0/YPa4xbm8wFAcwV61jhk4M=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=spWoM0mbRhMT5nzVdAn/x+LHYB1Jj7njxIUT6IcE5acIQ30gQlXV+o2IIEzE64pGX 6pxI++jHHiSfFtzHTzr8XS7txfAxpFMfUoEvnSGItvez3EgaTB8kteU8Vg2UE93QRW dTTe90yMw7QhhE8jXssngHGNRjxj7mzulpthbxrc= Date: Thu, 28 Sep 2023 17:27:46 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , James Morris , Paul Moore , "Serge E . Hallyn" Cc: Ben Scarlato , =?utf-8?Q?G=C3=BCnther?= Noack , Jeff Xu , Jorge Lucangeli Obes , Konstantin Meskhidze , Shervin Oloumi , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [RFC PATCH v1 0/7] Landlock audit support Message-ID: <20230928.wae8Caitha7n@digikod.net> References: <20230921061641.273654-1-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20230921061641.273654-1-mic@digikod.net> X-Infomaniak-Routing: alpha X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Thu, 28 Sep 2023 08:28:20 -0700 (PDT) I talked about this patch series at the Kernel Recipes conference, and you might want to take a look at the future work: https://landlock.io/talks/2023-09-25_landlock-audit-kr.pdf In a nutshell, new syscall flags: * For landlock_create_ruleset() to opt-in for logging ruleset-related and domain-related use * For landlock_add_rule() to opt-in for logging this rule if it granted the requested access * For landlock_restrict_self() to opt-in for: * not log anything * handle a permissive mode to log actions that would have been denied (very useful to build a sandbox) On Thu, Sep 21, 2023 at 08:16:34AM +0200, Mickaël Salaün wrote: > Hi, > > This patch series adds basic audit support to Landlock for most actions. > Logging denied requests is useful for different use cases: > * app developers: to ease and speed up sandboxing support > * power users: to understand denials > * sysadmins: to look for users' issues > * tailored distro maintainers: to get usage metrics from their fleet > * security experts: to detect attack attempts > > To make logs useful, they need to contain the most relevant Landlock > domain that denied an action, and the reason. This translates to the > latest nested domain and the related missing access rights. > > Two "Landlock permissions" are used to describe mandatory restrictions > enforced on all domains: > * fs_layout: change the view of filesystem with mount operations. > * ptrace: tamper with a process. > > Here is an example of logs, result of the sandboxer activity: > tid=267 comm="sandboxer" op=create-ruleset ruleset=1 handled_access_fs=execute,write_file,read_file,read_dir,remove_dir,remove_file,make_char,make_dir,make_reg,make_sock,make_fifo,make_block,make_sym,refer,truncate > tid=267 comm="sandboxer" op=restrict-self domain=2 ruleset=1 parent=0 > op=release-ruleset ruleset=1 > tid=267 comm="bash" domain=2 op=open errno=13 missing-fs-accesses=write_file,read_file missing-permission= path="/dev/tty" dev="devtmpfs" ino=9 > tid=268 comm="ls" domain=2 op=open errno=13 missing-fs-accesses=read_dir missing-permission= path="/" dev="vda2" ino=256 > tid=269 comm="touch" domain=2 op=mknod errno=13 missing-fs-accesses=make_reg missing-permission= path="/" dev="vda2" ino=256 > tid=270 comm="umount" domain=2 op=umount errno=1 missing-fs-accesses= missing-permission=fs_layout name="/" dev="tmpfs" ino=1 > tid=271 comm="strace" domain=2 op=ptrace errno=1 missing-fs-accesses= missing-permission=ptrace opid=1 ocomm="systemd" > > As highlighted in comments, support for audit is not complete yet with > this series: some actions are not logged (e.g. file reparenting), and > rule additions are not logged neither. > > I'm also not sure if we need to have seccomp-like features such as > SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_LOG, and > /proc/sys/kernel/seccomp/actions_logged > > I'd like to get some early feedback on this proposal. > > This series is based on v6.6-rc2 > > Regards, > > Mickaël Salaün (7): > lsm: Add audit_log_lsm_data() helper > landlock: Factor out check_access_path() > landlock: Log ruleset creation and release > landlock: Log domain creation and enforcement > landlock: Log file-related requests > landlock: Log mount-related requests > landlock: Log ptrace requests > > include/linux/lsm_audit.h | 2 + > include/uapi/linux/audit.h | 1 + > security/landlock/Makefile | 2 + > security/landlock/audit.c | 283 +++++++++++++++++++++++++++++++++++ > security/landlock/audit.h | 88 +++++++++++ > security/landlock/fs.c | 169 ++++++++++++++++----- > security/landlock/ptrace.c | 47 +++++- > security/landlock/ruleset.c | 6 + > security/landlock/ruleset.h | 10 ++ > security/landlock/syscalls.c | 12 ++ > security/lsm_audit.c | 26 ++-- > 11 files changed, 595 insertions(+), 51 deletions(-) > create mode 100644 security/landlock/audit.c > create mode 100644 security/landlock/audit.h > > > base-commit: ce9ecca0238b140b88f43859b211c9fdfd8e5b70 > -- > 2.42.0 >